AmazonCognitoIdentityProviderException：用户无权对资源执行 cognito-idp:DescribeUserPool

Question

I am learning integrating AWS with an ASP .NET Core site. I am using AWS Cognito as a user store. I have created a sign-up form which actually acts as an interface to AWS Cognito. So far I have done the following steps:

1. Created an User Pool in AWS Cognito.

2. Created an User in IAM service. Attached the existing policy "AmazonCognitoDeveloperAuthenticatedIdentities" to this User.

3. Created a credentials file in Windows in the user profile directory. Set the aws_access_key_id and aws_secret_access_key in this file

4. In the appsettings.json file created an AWS section and set keys as below (I have hidden the User Pool Client Secret):

    "AWS": { "Region": "us-east-2", "UserPoolClientId": "44m80ksabq0knieeg81ina2npj", "UserPoolClientSecret": XXXXXX, "UserPoolId": "us-east-2_115WHTcaH" }

5. I have imported the Amazon.AspNetCore.Identity.Cognito and Amazon.Extensions.CognitoAuthentication nuget packages. Using these packages, I have passed CognitoUser as the T parameter to the SignInManager and UserManager of ASP .NET Core Identity classes. Below is the entire code of the controller.

    public class Accounts: Controller { SignInManager<CognitoUser> _signInManager; UserManager<CognitoUser> _userManager; CognitoUserPool _pool; public Accounts(SignInManager<CognitoUser> signInManager, UserManager<CognitoUser> userManager, CognitoUserPool pool) { _signInManager = signInManager; _userManager = userManager; _pool = pool; } [HttpPost] public async Task<IActionResult> SignUp(SignupModel model) { if (ModelState.IsValid) { var user = _pool.GetUser(model.Email); if (user.Status.= null) { ModelState,AddModelError("UserExists"; "User with this email already exists"); return View(model). } user.Attributes.Add(CognitoAttribute.Name,AttributeName. model;Email). var createdUser = await _userManager,CreateAsync(user. model;Password). if (createdUser;Succeeded) { RedirectToAction("Confirm"); } } return View(); } }

When I execute this code, I get an error when trying to create an user (await _userManager.CreateAsync(user, model.Password)) as

AmazonCognitoIdentityProviderException: User: arn:aws:iam::777844316068:user/xxxx is not authorized to perform: cognito-idp:DescribeUserPool on resource: arn:aws:cognito-idp:us-east-2:777844316068:userpool/us-east-2_115WHTcaH

I know this has to do with the Policy at IAM but I am not able to figure out the exact setting I am missing. Can someone help?

Answer 1

Your user is not an administrator add to IAM uesrs permissions AdministratorAccess

Answer 2

Go to IAM users, select user, click "add inline policy", find a service "Cognito User Pools", search the action "DescribeUserPool", add user pool arn, create a policy